The security week that was: 08/20/10 (Encrypted emails)

By Geoff Kohl, editor-in-chief, on Aug 20, 2010

RIM's fight to preserve encryption of emails

There's a lot of talk about public-private partnerships on security, but there also has to be a clear division between the two on what is private and what is not. For example, businesses want police to respond to help investigate major crimes, and police may want businesses to share information when their investigations hit a point at which they need emails or phone call lists. In the U.S. at least, this latter form of partnership (the providing of emails and phone records) is provided by subpoena. It's not that the businesses aren't willing to provide that information, but they want a specific and direct request, because such a direct police request allows them to maintain to their customers that they respect their clients' privacy up to the point that the judicial system supersedes that privacy protection with a direct and targeted demand.

So that's why SIW has been tracking news about RIM/BlackBerry's encrypted emails (see also prior coverage on this topic). The news, in summary, is that RIM provides an email handling service to its BlackBerry customers, and those emails are encrypted to ensure the privacy of those messages is maintained. The second part of the news is that some nations are objecting to the fact that they can't read all the emails being sent to their citizenry because those emails are encrypted by RIM, and RIM isn't just rolling over and giving the governments the keys to their digital castle.

Consider for a moment that the BlackBerry smartphones are still the dominant smartphones in the market (although Apple and Google are trying to change that with the iPhone and Android platforms) and that the BlackBerry has become the quintessential business device, especially for senior business leadership. It just makes perfect sense that RIM provides encryption of these emails, and it makes sense that RIM isn't handing away those encryption keys willy-nilly to whatever government is requesting them.

Were RIM to give up the keys, and those emails became unencrypted, they might accidentally be made available to the wrong persons in these governments. After all, once RIM gives away those encryption keys, the company would have difficulty retaining control over how they were used, and at that point, why would encryption even be necessary? (If you think things really stay private inside a government, point your web browser over to Wikileaks, where you'll find tons of government documents from around the world.) The argument from such governments for access to RIM's BlackBerry emails is that potential terrorists could use encrypted email systems and thus remain under the radar of law enforcement, and that's why they need full access to the emails. But that's a weak argument; it holds little water. And under that type of argument, personal privacy ends up on a slippery slope.

Here's why. Were a government to require every citizen to file a report of every in-person private conversation (the kind of conversation you might have over lunch at your home with your friends), the government would be laughed at or face a political revolt from its citizenry. It's just a preposterous idea. Now consider that in today's world, we communicate digitally. We see little difference between the conversations we have face-to-face with each other and the ones we have over email or instant messaging programs. I would argue that the populace sees digital communication in the same light as personal face-to-face communication. It's not open to the government and won't be shared unless the government has specific insight that the individual(s) involved might be or have been involved in a crime, and even then it can't be compelled to be shared until there is a legal process created (and the person is put upon a judge's witness stand or in front of a congressional inquiry board).

Finally, it's not like RIM/BlackBerry is the only encrypted communications provider. What would these nations do next? Would they go after secure communications providers like Gmail, Skype, Hushmail, most companies' internal email systems, and even security certificate providers like Comodo and Thawte? According to this article, that might not be such a far-fetched idea! I suspect that these nations will eventually acquiesce quietly to RIM's ability to preserve encryption, but we'll keep tracking this topic for you.

For another angle on smartphone security, take a look at my blog post on The Security Check this week, which looks at biometrics and a fingerprint smudge hack for accessing smartphones.

In other news
Flir acquires ICx, Intel gets into cybersecurity, new chairman at PSIA, dealer acquisitions